Impact
The LoginPress Pro plugin, up to version 6.2.2, contains a flaw that permits an unauthenticated attacker to elevate privileges within a WordPress site. This issue is classified as a privilege escalation vulnerability (CWE-266) and is rated with a CVSS score of 9.8, indicating a high likelihood of severe damage if exploited. In practice, an attacker could gain administrative access or modify site settings without needing valid credentials.
Affected Systems
WordPress sites running the LoginPress Pro plugin version 6.2.2 or earlier are affected. The vulnerability applies to all installations of the LoginPress Pro plugin for WordPress where the plugin has not been updated to at least version 6.2.3. Hosts must verify the plugin version and check for any custom configurations that might expose the plugin to the web.
Risk and Exploitability
The CVSS score of 9.8 signals a critical threat level, while the EPSS score is currently not available, indicating that no publicly disclosed exploitation frequency is recorded yet. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is sending unauthenticated HTTP requests to the affected WordPress instance, potentially using automated scripts to locate the vulnerable plugin endpoint. Because no authentication is required, the attack window is wide and could affect any visible site that has the plugin installed.
OpenCVE Enrichment